2) Analyze Outbound Connections:
a. Many HTTP Get requests for long filenames
b. Many HTTP Post requests (careful not to trip on all that streaming media traffic)
c. Anomalies on any other outbound protocol you allow outbound

5) User Awareness Training:
a. Condition your users to be skeptical and to avoid clicking on things from people they do not know and/or are not expecting.
b. Setup a deterrence program by punishing those that do not think before they click.

The above list is meant to be generic, but hopefully it gives you a place to start or focus on. As always your feedback is welcome...